12f60c0aae72353a8284cb34b69844ea96891f98ce12a8e622a37b71afc4e95e

Analysis

max time kernel
117s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
15/01/2024, 00:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5bb56ed5af9ec2db3a74a1a7a0cd84ad.exe
Size

570KB
MD5

5bb56ed5af9ec2db3a74a1a7a0cd84ad
SHA1

93cd3e97b56262bde1e571a7dbb64072a2ed3755
SHA256

12f60c0aae72353a8284cb34b69844ea96891f98ce12a8e622a37b71afc4e95e
SHA512

a5d82445e1253964076ee42a1b105083ee965d90ab5381e3d4a3546afb76e446ab5d1765cb02d1fd5281e924a31552e93af1ba01680733843973b19d055d4555
SSDEEP

6144:se34OTbY50kOjolCyibJCtj8oCjYH+SUT4/666iHvd2d+eG3aV9P9eCXI4KH9g2S:9Tb5klzj8oCjYeSBrPc+aP9eC3Zf9v

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3064	bcicabfddbbd.exe

Loads dropped DLL 10 IoCs

pid	Process
1696	5bb56ed5af9ec2db3a74a1a7a0cd84ad.exe
1696	5bb56ed5af9ec2db3a74a1a7a0cd84ad.exe
1696	5bb56ed5af9ec2db3a74a1a7a0cd84ad.exe
888	WerFault.exe
888	WerFault.exe
888	WerFault.exe
888	WerFault.exe
888	WerFault.exe
888	WerFault.exe
888	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
888	3064	WerFault.exe	28

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2604	wmic.exe
Token: SeSecurityPrivilege	2604	wmic.exe
Token: SeTakeOwnershipPrivilege	2604	wmic.exe
Token: SeLoadDriverPrivilege	2604	wmic.exe
Token: SeSystemProfilePrivilege	2604	wmic.exe
Token: SeSystemtimePrivilege	2604	wmic.exe
Token: SeProfSingleProcessPrivilege	2604	wmic.exe
Token: SeIncBasePriorityPrivilege	2604	wmic.exe
Token: SeCreatePagefilePrivilege	2604	wmic.exe
Token: SeBackupPrivilege	2604	wmic.exe
Token: SeRestorePrivilege	2604	wmic.exe
Token: SeShutdownPrivilege	2604	wmic.exe
Token: SeDebugPrivilege	2604	wmic.exe
Token: SeSystemEnvironmentPrivilege	2604	wmic.exe
Token: SeRemoteShutdownPrivilege	2604	wmic.exe
Token: SeUndockPrivilege	2604	wmic.exe
Token: SeManageVolumePrivilege	2604	wmic.exe
Token: 33	2604	wmic.exe
Token: 34	2604	wmic.exe
Token: 35	2604	wmic.exe
Token: SeIncreaseQuotaPrivilege	2604	wmic.exe
Token: SeSecurityPrivilege	2604	wmic.exe
Token: SeTakeOwnershipPrivilege	2604	wmic.exe
Token: SeLoadDriverPrivilege	2604	wmic.exe
Token: SeSystemProfilePrivilege	2604	wmic.exe
Token: SeSystemtimePrivilege	2604	wmic.exe
Token: SeProfSingleProcessPrivilege	2604	wmic.exe
Token: SeIncBasePriorityPrivilege	2604	wmic.exe
Token: SeCreatePagefilePrivilege	2604	wmic.exe
Token: SeBackupPrivilege	2604	wmic.exe
Token: SeRestorePrivilege	2604	wmic.exe
Token: SeShutdownPrivilege	2604	wmic.exe
Token: SeDebugPrivilege	2604	wmic.exe
Token: SeSystemEnvironmentPrivilege	2604	wmic.exe
Token: SeRemoteShutdownPrivilege	2604	wmic.exe
Token: SeUndockPrivilege	2604	wmic.exe
Token: SeManageVolumePrivilege	2604	wmic.exe
Token: 33	2604	wmic.exe
Token: 34	2604	wmic.exe
Token: 35	2604	wmic.exe
Token: SeIncreaseQuotaPrivilege	2720	wmic.exe
Token: SeSecurityPrivilege	2720	wmic.exe
Token: SeTakeOwnershipPrivilege	2720	wmic.exe
Token: SeLoadDriverPrivilege	2720	wmic.exe
Token: SeSystemProfilePrivilege	2720	wmic.exe
Token: SeSystemtimePrivilege	2720	wmic.exe
Token: SeProfSingleProcessPrivilege	2720	wmic.exe
Token: SeIncBasePriorityPrivilege	2720	wmic.exe
Token: SeCreatePagefilePrivilege	2720	wmic.exe
Token: SeBackupPrivilege	2720	wmic.exe
Token: SeRestorePrivilege	2720	wmic.exe
Token: SeShutdownPrivilege	2720	wmic.exe
Token: SeDebugPrivilege	2720	wmic.exe
Token: SeSystemEnvironmentPrivilege	2720	wmic.exe
Token: SeRemoteShutdownPrivilege	2720	wmic.exe
Token: SeUndockPrivilege	2720	wmic.exe
Token: SeManageVolumePrivilege	2720	wmic.exe
Token: 33	2720	wmic.exe
Token: 34	2720	wmic.exe
Token: 35	2720	wmic.exe
Token: SeIncreaseQuotaPrivilege	2156	wmic.exe
Token: SeSecurityPrivilege	2156	wmic.exe
Token: SeTakeOwnershipPrivilege	2156	wmic.exe
Token: SeLoadDriverPrivilege	2156	wmic.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 3064	1696	5bb56ed5af9ec2db3a74a1a7a0cd84ad.exe	28
PID 1696 wrote to memory of 3064	1696	5bb56ed5af9ec2db3a74a1a7a0cd84ad.exe	28
PID 1696 wrote to memory of 3064	1696	5bb56ed5af9ec2db3a74a1a7a0cd84ad.exe	28
PID 1696 wrote to memory of 3064	1696	5bb56ed5af9ec2db3a74a1a7a0cd84ad.exe	28
PID 1696 wrote to memory of 3064	1696	5bb56ed5af9ec2db3a74a1a7a0cd84ad.exe	28
PID 1696 wrote to memory of 3064	1696	5bb56ed5af9ec2db3a74a1a7a0cd84ad.exe	28
PID 1696 wrote to memory of 3064	1696	5bb56ed5af9ec2db3a74a1a7a0cd84ad.exe	28
PID 3064 wrote to memory of 2604	3064	bcicabfddbbd.exe	29
PID 3064 wrote to memory of 2604	3064	bcicabfddbbd.exe	29
PID 3064 wrote to memory of 2604	3064	bcicabfddbbd.exe	29
PID 3064 wrote to memory of 2604	3064	bcicabfddbbd.exe	29
PID 3064 wrote to memory of 2720	3064	bcicabfddbbd.exe	32
PID 3064 wrote to memory of 2720	3064	bcicabfddbbd.exe	32
PID 3064 wrote to memory of 2720	3064	bcicabfddbbd.exe	32
PID 3064 wrote to memory of 2720	3064	bcicabfddbbd.exe	32
PID 3064 wrote to memory of 2156	3064	bcicabfddbbd.exe	34
PID 3064 wrote to memory of 2156	3064	bcicabfddbbd.exe	34
PID 3064 wrote to memory of 2156	3064	bcicabfddbbd.exe	34
PID 3064 wrote to memory of 2156	3064	bcicabfddbbd.exe	34
PID 3064 wrote to memory of 2496	3064	bcicabfddbbd.exe	36
PID 3064 wrote to memory of 2496	3064	bcicabfddbbd.exe	36
PID 3064 wrote to memory of 2496	3064	bcicabfddbbd.exe	36
PID 3064 wrote to memory of 2496	3064	bcicabfddbbd.exe	36
PID 3064 wrote to memory of 2532	3064	bcicabfddbbd.exe	38
PID 3064 wrote to memory of 2532	3064	bcicabfddbbd.exe	38
PID 3064 wrote to memory of 2532	3064	bcicabfddbbd.exe	38
PID 3064 wrote to memory of 2532	3064	bcicabfddbbd.exe	38
PID 3064 wrote to memory of 888	3064	bcicabfddbbd.exe	40
PID 3064 wrote to memory of 888	3064	bcicabfddbbd.exe	40
PID 3064 wrote to memory of 888	3064	bcicabfddbbd.exe	40
PID 3064 wrote to memory of 888	3064	bcicabfddbbd.exe	40

C:\Users\Admin\AppData\Local\Temp\5bb56ed5af9ec2db3a74a1a7a0cd84ad.exe
"C:\Users\Admin\AppData\Local\Temp\5bb56ed5af9ec2db3a74a1a7a0cd84ad.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Users\Admin\AppData\Local\Temp\bcicabfddbbd.exe
  C:\Users\Admin\AppData\Local\Temp\bcicabfddbbd.exe 2-2-4-9-0-8-2-2-5-3-9 LU5FOz0qNi4xHSZRUz5HSTw7LhssRUNSU0ZSQ0dCOC4XLUJFSlRBQjsuNCs0His6STw7LhssR1BNQExDTF1HPzoqMzU0Fy9LQ1BRQkldU05DPWBycms3Ji1xYWl2JnJmYCpYbm4pW2FsXyxka11tHis6TEFBSURBNB4tQCg9JS8eKkEpOystFy88MTsoLhctQjA0LSkeLT8yNDMwMykzGC1OTUw7U0FQVlBKR1Q8QFA7HitHUkdCUz5RVkNTSDg9GC1OTUw7U0FQVk45S0M4SmBhcGtqb15yIy0tSmNhcWlpbHcjLS08cXFhZXRhX2puHSZDVkFWVUpKO2Nxa244KyZta2MsX2lqY3ByYGNdLGtkYGltcWtddCZhbWgsW211amNvWWItPCwqLTYrODMwREQ9QykrLy0pMiUyNj0xJD9EMictPTIyQTM7QTA0OUQwLWNpcmotX2lbNiwta25iYGxxcFhsZCxjc2IXLUNUPF87S0JHRkVDOxwmSEdRUlo/SU1VTzxSNTAeKlE/P0xHUE9NXVNNSTQeLVJEPSgeLT9QKDseK0lVRlJHSEJWVUNIOk9FQ0dIPj5DU05DPRgtR05cSVNMUEBNPTtybXJcHi1OPFRNUExESz5dU088UldCP1RQNDAeKz9JPENWOC4XLUdPVkRRTD9IRjpdQ0o6UlFOUkBBNGRfaGplGC1CSlRFSk09O19BTjs0MyUwMywlMSg3LCwzJx4tUEBNPTsvLy8pMjMvLzEvHi0/TE5MSks4RFdSR0hCNC8tLi8vKi4vMCcpOC4vMTMvKE5I
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81705280119.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2604
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81705280119.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2720
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81705280119.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2156
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81705280119.txt bios get version
    3⤵
    PID:2496
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81705280119.txt bios get version
    3⤵
    PID:2532
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3064 -s 372
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81705280119.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\bcicabfddbbd.exe

Filesize
822KB

MD5
5141d476ac05ad8ac321c2a0da4a3a45

SHA1
b3d1e07f1334b7a0da08448fbc6afd5549149760

SHA256
a5a1cc8d4f6a29fe5dbf64053b6d51bbd0fece3792ea6da702dfbd78cb1b81d8

SHA512
1ec6dec1e780e395c655242887ea978ab19ad8507c25e1f37d344a16d7e36902c26ccbd512ee4d6f94d7611bb3da298a342f6562cdff6f81f1741061bc8b68de

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso8B21.tmp\ccf.dll

Filesize
104KB

MD5
c87a0ea6f1d3bd17550b6df561cb3246

SHA1
dea66f545f92acd8e6fb7d0279d9226640e11148

SHA256
7a5ea04b32a29da1ea26936ecd7bad4ebd05414bda8a03e92e5277ab5ee6fdda

SHA512
be97a43838caa2159a3588f54a929d57b9cd60e54d7b3c4b3d753d27172215638837cf3647e46fde11a3836ad23677d1bb1b98fe6089793383228e77edc7427e

Download Submit
\Users\Admin\AppData\Local\Temp\nso8B21.tmp\nsisunz.dll

Filesize
40KB

MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit